(RHCSA) Manage Security

This is part of the RHCSA Exam Study Guide series

avatar Jonas B. Rossi

Sep 15, 2021 β€’ edited Mar 29, 2022 β€’ 8 minutes to read

image

This is part of the independent and unofficial RHCSA Exam Study Guide series providing free πŸ€‘ resources for prepare for the exam.

This post covers the objectives under the section:

β€œMANAGE SECURITY”

It contains two main parts:

  • Resources: with links to learn and practice for each objective.
  • Cheatsheet: containing some examples of commands and actions performed in each objective (when applied).

πŸ“š Resources:

CONFIGURE FIREWALL SETTINGS USING FIREWALL-CMD/FIREWALLD

(This objective is also covered in: β€œmanage basic networking / restrict network access using firewall-cmd/firewall”)

CREATE AND USE FILE ACCESS CONTROL LISTS
CONFIGURE KEY-BASED AUTHENTICATION FOR SSH
SET ENFORCING AND PERMISSIVE MODES FOR SELINUX
LIST AND IDENTIFY SELINUX FILE AND PROCESS CONTEXT
RESTORE DEFAULT FILE CONTEXTS
USE BOOLEAN SETTINGS TO MODIFY SYSTEM SELINUX SETTINGS
DIAGNOSE AND ADDRESS ROUTINE SELINUX POLICY VIOLATIONS

πŸ“‘ Cheatsheet:

CONFIGURE FIREWALL SETTINGS USING FIREWALL-CMD/FIREWALLD

  • firewall-cmd --list-services --zone public, cat /etc/firewalld/zones/public.xml ➑ list allowed services for specific zone.

  • firewall-cmd --reload ➑ apply changes.

  • firewall-cmd --add-port "8000-8005/udp" --zone trusted --permanent ➑ permanently allow protocol on specified port range on trusted zone.

  • firewall-cmd --panic-on ➑ start panic mode, blocking any access from outside.

  • firewall-cmd --zone=drop --add-source=192.168.122.191/24 ➑ add determined ip to drop zone wich drop packets.

  • firewall-cmd --zone=drop --remove-source=192.168.122.191/24 ➑ remove determined ip from drop zone.

  • firewall-cmd --permanent --add-rich-rule='rule family=ipv4 source address=192.168.122.33 drop' ➑ add rich rule to drop packets from determined ip.

  • firewall-cmd --state, systemctl status firewalld ➑ check if the service is enabled and active.

  • firewall-cmd --get-default-zone ➑ display default zone name.

  • firewall-cmd --get-active-zones ➑ display active zones.

  • firewall-cmd --get-zones ➑ display all available zones.

  • firewall-cmd --set-default-zone=home ➑ set default zone to home.

  • firewall-cmd --list-all ➑ display information about the defualt zone.

  • firewall-cmd --list-all --zone=home ➑ display information about home zone.

  • firewall-cmd --list-all-zones ➑ list all zones.

  • firewall-cmd --list-services ➑ list allowed services in the current zone.

  • firewall-cmd --list-ports ➑ list allowed ports in the current zone.

  • firewall-cmd --zone=public --list-services ➑ list allowed services for the specific zone.

  • Permanently add a Port to a zone:

    • firewall-cmd --add-port 443/tcp --zone=public --permanent ➑ add port to public zone.

    • firewall-cmd --reload ➑ reload to apply the changes.

  • Permanently add a Service to a zone:

    • firewall-cmd --add-service=httpd --zone=public ➑ add port to public zone.

    • firewall-cmd --runtime-to-permanent ➑ make changes persist.

  • firewall-cmd --change-interface=enp7s0 --zone=home --permanent ➑ change specified interface to specified zone.

CREATE AND USE FILE ACCESS CONTROL LISTS

  • setfacl -m u:user100:6 file1, setfacl -m u:user100:rw file1 ➑ gives user100 read and write permissions on file1 by using Access Control Lists (ACLs).

  • setfacl -dm u:user100:7,u:user200:rwx projects/ ➑ allocate default rwx permissions to user100 and user200 on projects/ dir.

  • setfacl -m m:r file1 ➑ set mask limitiation to only read access on file1.

  • getfacl file1 -c ➑ display ACL properties for file1 and omit headers.

  • setfacl -x u:user100 file1 ➑ removes any user100 ➑ ACL permissions for file1.

  • setfacl -k projects/ ➑ deletes default ACL permissions for projects/ directory.

  • setfacl -b file1 ➑ resets ACL permissions for file1.

CONFIGURE KEY-BASED AUTHENTICATION FOR SSH

  • ssh-keygen ➑ start ssh key generator on interactive mode.

  • ssh-keygen -N "" -q ➑ generate RSA keys without password, on silent mode.

  • ssh-copy-id server20 ➑ copy current user’s public key to server20.

  • On /etc/ssh/sshd_config set PermitRootLogin no ➑ disallow root login via ssh, needs sshd to be restarted.

  • tail /var/log/secure ➑ view ssh remote access logs (ssh server).

SET ENFORCING AND PERMISSIVE MODES FOR SELINUX

  • getenforce ➑ displays current mode of operation.

  • setenforce permissive ➑ switch the operating mode to permissive temporarily.

  • Edit /etc/selinux/config file ➑ to permanently switch SELinux operating mode (survive reboots).

  • seinfo -u ➑ (requires setools-console) list SELinux users.

  • semanage login -l ➑ show mapping between Linux user and SELinux user.

  • semanage port -l ➑ list records of the port object type.

  • sestatus ➑ shows SELinux runtime status and Boolean values.

LIST AND IDENTIFY SELINUX FILE AND PROCESS CONTEXT

  • ls -Z ➑ the Z flag available for some commands as id, ps, ls) allows to view SELinux context.

  • ps auxZ | grep -e http -ei label ➑ show detailed info about all http named processes running (diplaying ps header).

  • semanage fcontext -l | grep /var/www/html ➑ display SELinux file contexts for files and dirs whose path contains /var/www/html .

  • chcon -vu user_u -t public_content_t dir1 -R ➑ temporarily modify SELinux user and type on the directory dir1 recursively.

  • Change file context permanently:

    • ls -ldZ ➑ verifiy SELinux context for the directory.

    • semanage fcontext -a -s user_u -t public_content_t '/dir1(/.*)?' ➑ add dir1 recursively to the policy database.

    • restorecon -Rv dir1 ➑ recursively restore default context on files by referencing the files in the /etc/selinux/targeted/contexts/files directory. It relabels, apply the changes.

    • ls -ldZ ➑ verifiy applied changes.

  • man semanage-fcontext ➑ see man page for fcontext subcommand.

  • semanage fcontext -Cl ➑ list recent changes in the policy database.

  • --preserve=context ➑ this flag available for cp command allows to copy preserving SELinux context for the object.

  • semanage port -at http_port_t -p tcp 8010 ➑ add port 8010 with type http_port_t and protocol tcp, to the policy.

  • semanage port -d -p tcp 8010 ➑ delete port 8010 with protocol tcp from the policy.

RESTORE DEFAULT FILE CONTEXTS

  • Use restorecon to restore file contexts changed temporarily by using chcon command! To restore default file contexts changed permanently on files/dirs, semanage fcontext -D must be used!

  • Reset file context permanently:

    • ls -ldZ ➑ verifiy SELinux context for the directory.

    • semanage fcontext -D '/dir1(/.*)?' ➑ delete all local customizations por specified directory, recursively.

    • restorecon -Rv dir1 ➑ apply changes.

    • ls -ldZ ➑ verifiy applied changes.

USE BOOLEAN SETTINGS TO MODIFY SYSTEM SELINUX SETTINGS

  • getsebool -a, sestatus -b, semanage boolean -l ➑ list SELinux boolean state.

  • setsebool nfs_export_all_rw 0 ➑ temporarily set nfs_export_all_rw boolean to off.

  • setsebool -P nfs_export_all_rw 0 ➑ persistently set nfs_export_all_rw boolean to off.

DIAGNOSE AND ADDRESS ROUTINE SELINUX POLICY VIOLATIONS

  • sealert -a /var/log/audit/audit.log && sealert -a /var/log/messages ➑ Display SELinux policy violations.

  • journalctl -t setroubleshoot ➑ see alert provided by systemd journal.

  • ausearch -m AVC,USER_AVC,SELINUX_ERR,USER_SELINUX_ERR -ts recent ➑ use ausearch tool to query Audit logs.

  • sealert -l 97a1c0df-81ed-4c08-ba27-41c5067b713b ➑ Display alert event.

  • grep 1415714880.156:29 /var/log/audit/audit.log | audit2why ➑ use audit2why tool to help adressing an issue.

  • matchpathcon -V /var/www/html/* ➑ check the context and compare it to the default label for this path.

Next:

(RHCSA) Manage Containers

…or back to Red Hat Certified System Administrator (RHCSA) Exam Study Guide

Useful links & references:

Footnotes:

  • Follow me on Twitter to get more posts like this and other quick tips in your feed.
  • If you have any doubts or tips about this article, I’d appreciate knowing and discussing it via email.
  • Do you have any other Linux tips? Would you like to publish that in this blog? Please send an email to all drops.
  • As English is not my native language, I apologize for the errors. Corrections are welcome.
  • Contact: contact [@] alldrops [.] info.

categories: linux

tags: linuxred hatRHELRHCSA

Read more on linux drops: